French sporting goods retailer Decathlon has become the latest big brand to be hit by a data breach.
On Monday, Feb 24, researchers at vpnMentor revealed they had found a leaky database on a publicly accessible Elasticsearch server belonging to Decathlon. In a post published on their site, the team said the server held over 123 million records, totalling some 9GB of data, containing personal information belonging to Decathlon employees and others.
“The leaked Decathlon Spain database contains a veritable treasure trove of employee data and more. It has everything that a malicious hacker would, in theory, need to use to take over accounts and gain access to private and even proprietary information,” the report explained.
The exposed data includes employees’ full names, usernames, passwords, API logs, nationalities, contact numbers, addresses, birth dates, educational background, employment contract information, and other PII.
According to the researchers, the database was discovered on Feb 12. Four days later, on Feb 16, they notified Decathlon of the exposure, and the server was secured the following day, Feb 17.
Explaining why it took several days to notify the company, the researchers said the time was needed to investigate and identify “what’s at stake or who’s leaking the data.”
“Understanding a breach and its potential impact takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness,” the report explained.
“Some affected parties deny the facts, disregarding our research or playing down its impact. So, we need to be thorough and make sure everything we find is correct and true.”
In the course of the investigation, vpnMentor researchers said they were able to trace the database back to Decathlon Spain, “with a strong possibility of Decathlon United Kingdom information included as well.” However, the team clarified that they had not gone through all 123 million exposed records, so other locations may also be affected.
According to the group, victims of the breach face a number of potential threats, including corporate espionage, phishing, and identity theft.
“Decathlon could have easily avoided this leak if they had taken some basic security measures to protect the database,” the researchers argued.
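The misconfiguration behind this story, an Elasticsearch node reachable from the internet without credentials, is simple to check for on your own infrastructure. The following script is an added example and is not code from the article or from vpnMentor: it requests the root banner and the index listing from a node and classifies the result. It assumes the stock Elasticsearch REST API on the default port 9200 (adjust `port` and `scheme` if your node differs); the sample responses at the bottom are constructed for an offline demonstration, and `es.example.internal` is a placeholder host. Only probe hosts you are authorized to test.

```python
"""Check whether an Elasticsearch endpoint answers without authentication.

Added example; not part of the original article or of vpnMentor's research.
Assumes the stock Elasticsearch REST API (GET / and GET /_cat/indices).
Host names and the sample responses below are constructed for illustration.
"""
import json
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Probe:
    """One HTTP response: status code (0 = no HTTP reply) and decoded body."""
    status: int
    body: str


@dataclass
class Finding:
    exposed: bool
    reason: str
    cluster_name: str = ""
    indices: List[str] = field(default_factory=list)


def classify(root: Probe, indices: Optional[Probe]) -> Finding:
    """Decide from the root and _cat/indices responses whether the node is open."""
    if root.status == 0:
        return Finding(False, f"no HTTP response: {root.body}")
    if root.status in (401, 403):
        return Finding(False, f"HTTP {root.status}: authentication enforced")
    if root.status != 200:
        return Finding(False, f"HTTP {root.status}: not an open Elasticsearch endpoint")
    try:
        info = json.loads(root.body)
    except json.JSONDecodeError:
        return Finding(False, "HTTP 200 but body is not JSON (probably not Elasticsearch)")
    # An unauthenticated Elasticsearch root answers with these banner fields.
    if not isinstance(info, dict) or "cluster_name" not in info or "version" not in info:
        return Finding(False, "HTTP 200 but no Elasticsearch banner fields")
    names: List[str] = []
    if indices is not None and indices.status == 200:
        try:
            names = [row.get("index", "") for row in json.loads(indices.body)]
        except (json.JSONDecodeError, AttributeError):
            names = []
    return Finding(True, "root and index listing readable without credentials",
                   info["cluster_name"], names)


def fetch(url: str, timeout: float = 5.0) -> Probe:
    """GET url; return the response even on 4xx/5xx, or status 0 on a network error."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Probe(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Probe(e.code, e.read().decode("utf-8", "replace"))
    except urllib.error.URLError as e:
        return Probe(0, str(e.reason))


def check_host(host: str, port: int = 9200, scheme: str = "http") -> Finding:
    """Probe one node; only fetch the index listing if the root was readable."""
    base = f"{scheme}://{host}:{port}"
    root = fetch(base + "/")
    idx = fetch(base + "/_cat/indices?format=json") if root.status == 200 else None
    return classify(root, idx)


# Constructed sample responses (not captured from any real server).
OPEN_ROOT = Probe(200, json.dumps({
    "name": "node-1", "cluster_name": "docker-cluster",
    "version": {"number": "7.6.0"}, "tagline": "You Know, for Search"}))
OPEN_INDICES = Probe(200, json.dumps([
    {"health": "yellow", "status": "open", "index": "employees", "docs.count": "42"},
    {"health": "yellow", "status": "open", "index": "api_logs", "docs.count": "7"}]))
SECURED_ROOT = Probe(401, json.dumps({
    "error": {"type": "security_exception",
              "reason": "missing authentication credentials for REST request [/]"},
    "status": 401}))

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live probe of a host you are authorized to test, e.g. es.example.internal
        print(check_host(sys.argv[1]))
    else:
        print(classify(OPEN_ROOT, OPEN_INDICES))
        print(classify(SECURED_ROOT, None))
```

Run with no arguments to see both classifications on the constructed samples, or pass a host name to probe a live node. A `Finding` with `exposed=True` means anyone who can reach the port can read the data, which is the condition the researchers describe; the fix is to bind the node to an internal interface and enable authentication (Elasticsearch 7.x needs `xpack.security.enabled: true`; 8.x enables security by default).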